CakePHP 2.3.6 released

The CakePHP core team is proud to announce the immediate availability
of CakePHP 2.3.6[1]. 2.3.6 is a bugfix release for the 2.3 release
branch. Since the release of 2.3.5 there have been 64 commits and 17
tickets resolved.

Security disclosure

There were 3 recent security releases for CakePHP. With the goal of
being open and transparent, and holding true to our previous
commitments, below are more detailed descriptions of each problem.

Authentication forms

Authentication forms were vulnerable to query manipulation through the
addition of extra POST data. Forms that were not also protected by
SecurityComponent were affected. If in a login form you had:

When the form was submitted, the $conditions used to log the user in
would have the value of:

    "OR" => array(
        "id like" => 1,
        "username like" => "%admin%"
    )

This issue was introduced accidentally when adding support for
blowfish authentication. It was resolved by treating any non-scalar
value in the authentication conditions as a failed login. The fix is
in commit c327bd. Thanks to Magnus Andersson for the report and patch.
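The following script is an added illustration written for this post and is not CakePHP's own code. It shows how PHP's bracketed POST names turn extra form fields into a nested array, how a lookup that accepts an array as its conditions hands the whole WHERE clause to the attacker, and the check that rejects non-scalar values before any query is built. The function names and the request bodies are constructed for the example.

```php
<?php
// Added illustration, not CakePHP's own code. The model name, field map and
// request bodies below are constructed for the example.

// Vulnerable shape: when the submitted username is an array it is used as
// the conditions array itself, which is the behaviour the post describes
// for the affected releases. Every nested key becomes part of the query.
function buildLoginConditionsVulnerable(array $data, $model, array $fields) {
    $username = isset($data[$model][$fields['username']])
        ? $data[$model][$fields['username']] : null;
    if (is_array($username)) {
        return $username;               // attacker controls the whole WHERE clause
    }
    return array($model . '.' . $fields['username'] => $username);
}

// Hardened shape: refuse any username or password that is not a plain
// string before the conditions array exists. Form fields can only ever be
// strings or arrays, so rejecting non-strings is the non-scalar check.
function buildLoginConditionsSafe(array $data, $model, array $fields) {
    foreach (array($fields['username'], $fields['password']) as $field) {
        if (!isset($data[$model][$field])
            || !is_string($data[$model][$field])
            || $data[$model][$field] === '') {
            return false;               // treat as an authentication failure
        }
    }
    return array($model . '.' . $fields['username'] => $data[$model][$fields['username']]);
}

$model  = 'User';
$fields = array('username' => 'username', 'password' => 'password');

// Constructed request bodies. parse_str() does what PHP does with a POST
// body: bracketed names become nested arrays.
parse_str('data[User][username]=alice&data[User][password]=s3cret', $normal);
parse_str('data[User][username][OR][id%20like]=1'
        . '&data[User][username][OR][username%20like]=%25admin%25'
        . '&data[User][password]=x', $hostile);

// Normal login: a single equality condition on the username.
var_export(buildLoginConditionsVulnerable($normal['data'], $model, $fields));
echo "\n";

// Hostile login: the extra POST keys become an OR block in the conditions,
// matching the array shown in the post above.
var_export(buildLoginConditionsVulnerable($hostile['data'], $model, $fields));
echo "\n";

// Same hostile body through the hardened path: rejected before any query.
var_export(buildLoginConditionsSafe($hostile['data'], $model, $fields));
echo "\n";
```

Run it with `php` on the command line; the second `var_export` prints the nested `OR` array and the third prints `false`. The check belongs before the lookup, not after it, because once an array has been merged into the conditions there is no reliable way to tell which keys the form intended.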

Pagination SQL injection

Through manipulation of the model alias in the sort parameter of a
pagination URL, arbitrary SQL could be executed. This issue affected
the 1.2, 1.3 and 2.x series of releases and was accidentally introduced
5 years ago. PaginatorComponent validated the field name in a sort key
of the form Alias.field, but not the alias. This meant that any SQL
contained in the alias would be inlined into the generated query. An
example exploit URL would look like:

The above URL injects a DELETE query into the pagination request. It
is executed without sanitization because the alias portion of the sort
key was never checked. This issue was fixed by ignoring the
user-supplied alias and using the known model alias instead, in commit
6017db. Thanks to ‘Ahmad’ for reporting the issue on lighthouse and
helping the CakePHP team find a fix.
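The script below is an added illustration for this post, not the PaginatorComponent code itself. It reduces sort-key validation to the two shapes that matter: one that checks the field against the model's columns but copies the alias from the URL into the ORDER BY key, and one that throws the supplied alias away and uses the alias the application already knows. The model alias, column list, query strings and the tiny ORDER BY renderer are all constructed for the example.

```php
<?php
// Added illustration, not CakePHP's own code. The alias, columns, sort
// parameters and orderClause() renderer are constructed for the example.

// Vulnerable shape: split "Alias.field", validate only the field, and put
// the user-supplied alias straight into the order key.
function validateSortVulnerable($sort, $direction, $knownAlias, array $columns) {
    $alias = $knownAlias;
    $field = $sort;
    if (strpos($sort, '.') !== false) {
        list($alias, $field) = explode('.', $sort, 2);
    }
    if (!in_array($field, $columns, true)) {
        return array();                   // the field check is the only check
    }
    $direction = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return array($alias . '.' . $field => $direction);   // alias never inspected
}

// Hardened shape: the alias from the URL is discarded; the order key is
// built from the alias the controller already knows for this model.
function validateSortSafe($sort, $direction, $knownAlias, array $columns) {
    $field = $sort;
    if (strpos($sort, '.') !== false) {
        list(, $field) = explode('.', $sort, 2);
    }
    if (!in_array($field, $columns, true)) {
        return array();
    }
    $direction = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';
    return array($knownAlias . '.' . $field => $direction);
}

// Stand-in for what an order array becomes in SQL: keys are identifiers and
// are inlined, which is why text in the alias reaches the database verbatim.
function orderClause(array $order) {
    $parts = array();
    foreach ($order as $key => $dir) {
        $parts[] = $key . ' ' . $dir;
    }
    return $parts ? 'ORDER BY ' . implode(', ', $parts) : '';
}

$knownAlias = 'Post';
$columns    = array('id', 'title', 'created');

// Constructed pagination parameters: a normal request and one whose alias
// carries a stacked DELETE statement. The field ("title") is valid in both.
$benign  = array('sort' => 'Post.title', 'direction' => 'asc');
$hostile = array('sort' => 'Post; DELETE FROM posts; --.title', 'direction' => 'asc');

echo orderClause(validateSortVulnerable($benign['sort'], $benign['direction'], $knownAlias, $columns)), "\n";
echo orderClause(validateSortVulnerable($hostile['sort'], $hostile['direction'], $knownAlias, $columns)), "\n";
echo orderClause(validateSortSafe($hostile['sort'], $hostile['direction'], $knownAlias, $columns)), "\n";
```

The first two lines of output show why validating the field alone is not enough: both requests pass the column check, but the hostile one renders as `ORDER BY Post; DELETE FROM posts; --.title ASC`. The third line shows the hardened path producing `ORDER BY Post.title ASC` from the same input. Whether a stacked statement actually runs depends on the database driver, but the identifier is attacker text either way, and the only robust fix is never to build it from the URL.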

Cross site scripting through webroot

By manipulating the URL an attacker could generate an error page that
allowed the execution of arbitrary JavaScript. The webroot property on
the request object was incorrectly trusted as safe even though it is
derived from user input. An example exploit could look like:

The solution to this issue was to urlencode the user-supplied webroot
property when the request object is created. This makes generated
URLs safe to use in all normal contexts. The fix for this was applied
in commit db6dd1.
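As an added example, and not the CakeRequest code itself, the script below derives a webroot the way many PHP front controllers do, from the directory part of the script path the web server reports, which a crafted URL can influence. It then emits that value into a stylesheet link twice: once as-is, and once after URL-encoding it. The encoding here is applied per path segment with `rawurlencode` so that the slashes survive; that is a choice made for this example, and the function names and inputs are constructed.

```php
<?php
// Added illustration, not CakePHP's own code. webrootFrom(), the link
// helpers and the two script paths are constructed for the example.

// Derive the webroot from the reported script path. The attacker does not
// control the script file, but can shape the path that leads to it.
function webrootFrom($phpSelf) {
    $base = dirname($phpSelf);
    if ($base === '/' || $base === '.' || $base === '\\') {
        $base = '';
    }
    return $base . '/';
}

// Vulnerable shape: the derived webroot is trusted and written into markup.
function cssLinkVulnerable($webroot) {
    return '<link rel="stylesheet" href="' . $webroot . 'css/cake.generic.css">';
}

// Hardened shape: URL-encode the webroot before it is stored on the request,
// segment by segment so the path separators are preserved. Quotes, angle
// brackets and spaces become percent escapes and can no longer break out of
// an attribute or open a tag.
function encodeWebroot($webroot) {
    return implode('/', array_map('rawurlencode', explode('/', $webroot)));
}

function cssLinkSafe($webroot) {
    return '<link rel="stylesheet" href="' . encodeWebroot($webroot) . 'css/cake.generic.css">';
}

// Constructed inputs: an ordinary deployment path, and one carrying markup.
$normal  = '/app/webroot/index.php';
$hostile = '/"><script>alert(1)</script><a href="/index.php';

echo cssLinkVulnerable(webrootFrom($normal)), "\n";
echo cssLinkVulnerable(webrootFrom($hostile)), "\n";   // closes href, opens <script>
echo cssLinkSafe(webrootFrom($hostile)), "\n";         // inert percent escapes
```

The second line of output contains a live `<script>` element inside what was meant to be an `href`; the third keeps the same characters but as `%22`, `%3C` and `%3E`, which a browser treats as path data, not markup. Encoding at creation time, as the fix does, protects every helper that later reads the property rather than relying on each output site to remember to escape it.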

I’d like to thank the various people who reported the security issues
and assisted in getting them fixed. I’d also like to thank all of the
contributors who help keep CakePHP cooking. Without you there would be
no CakePHP. Download a packaged release[2].